From c2158532caef21e099c0a05c103848ed9489600b Mon Sep 17 00:00:00 2001 From: William Quan Date: Mon, 17 Apr 2023 15:40:51 -0700 Subject: [PATCH] Updated to version v3.2.5 --- CHANGELOG.md | 4 ++++ .../aws-waf-security-automations.template | 17 ++++++++++++++++- source/custom_resource/custom-resource.py | 5 +++-- source/helper/helper.py | 3 ++- source/lib/solution_metrics.py | 2 +- .../reputation_lists_parser/reputation-lists.py | 5 +++-- source/timer/timer.py | 3 ++- 7 files changed, 31 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c0b3d820..c43ec5a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [3.2.5] - 2023-04-18 +### Patched +- Patch s3 logging bucket settings +- Updated the timeout for requests ## [3.2.4] - 2023-02-06 ### Changed - Upgraded pytest to mitigate CVE-2022-42969 diff --git a/deployment/aws-waf-security-automations.template b/deployment/aws-waf-security-automations.template index b11e35b7..8c650057 100644 --- a/deployment/aws-waf-security-automations.template +++ b/deployment/aws-waf-security-automations.template @@ -1289,7 +1289,6 @@ Resources: DeletionPolicy: Retain UpdateReplacePolicy: Retain Properties: - AccessControl: LogDeliveryWrite BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: 
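Review bot: Removing `AccessControl: LogDeliveryWrite` from AccessLoggingBucket is only half of the ACL-to-bucket-policy migration, and nothing in this hunk disables ACLs on the bucket itself, so whether the old grant path is really closed depends on properties outside the hunk. Unless it is already set further down in the resource (the Properties block continues past the hunk), add `OwnershipControls:` / `Rules:` / `- ObjectOwnership: BucketOwnerEnforced` next to `BucketEncryption` so log delivery relies solely on the bucket policy added later in this commit and an ACL grant cannot be reintroduced by a later edit. The `Patch s3 logging bucket settings` changelog line would be clearer if it named this change, since it alters which principal path is allowed to write delivery logs.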
@@ -1323,6 +1322,22 @@ Resources: - !GetAtt AccessLoggingBucket.Arn - !Join ["/", [!GetAtt AccessLoggingBucket.Arn, "*"]] Sid: HttpsOnly + - Sid: S3ServerAccessLogsPolicy + Effect: Allow + Principal: + Service: logging.s3.amazonaws.com + Action: + - s3:PutObject + Resource: + - !GetAtt AccessLoggingBucket.Arn + - !Join ["/", [!GetAtt AccessLoggingBucket.Arn, "*"]] + Condition: + ArnLike: + aws:SourceArn: + - !If [HttpFloodProtectionLogParserActivated, !GetAtt WafLogBucket.Arn, !GetAtt AccessLoggingBucket.Arn] + - !Join ["", ["arn:aws:s3:::", !Ref AppAccessLogBucket]] + StringEquals: + aws:SourceAccount: !Ref 'AWS::AccountId' Version: '2012-10-17' LogParser: diff --git a/source/custom_resource/custom-resource.py b/source/custom_resource/custom-resource.py index 09881d32..d3b8a396 100644 --- a/source/custom_resource/custom-resource.py +++ b/source/custom_resource/custom-resource.py @@ -125,7 +125,7 @@ def put_s3_bucket_access_logging(log, s3_client, bucket_name, access_logging_buc BucketLoggingStatus={ 'LoggingEnabled': { 'TargetBucket': access_logging_bucket_name, - 'TargetPrefix': 'AppAccess_Logs' + 'TargetPrefix': 'AppAccess_Logs/' } } ) @@ -423,7 +423,8 @@ def send_response(log, event, context, responseStatus, responseData, resourceId, try: response = requests.put(responseUrl, data=json_responseBody, - headers=headers) + headers=headers, + timeout=600) log.debug("Status code: " + response.reason) except Exception as error: diff --git a/source/helper/helper.py b/source/helper/helper.py index 7ab6c87b..7234e3c8 100644 --- a/source/helper/helper.py +++ b/source/helper/helper.py @@ -201,7 +201,8 @@ def send_response(log, event, context, responseStatus, responseData, resourceId, try: response = requests.put(responseUrl, data=json_responseBody, - headers=headers) + headers=headers, + timeout=600) log.debug("Status code: " + response.reason) except Exception as error: 
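Review bot: The `aws:SourceArn` condition in the new `S3ServerAccessLogsPolicy` statement hard-codes the `aws` partition in `!Join ["", ["arn:aws:s3:::", !Ref AppAccessLogBucket]]`, so in any other partition the condition never matches and server access log delivery from the application bucket is silently refused. `!Sub "arn:${AWS::Partition}:s3:::${AppAccessLogBucket}"` keeps the same restriction and agrees with the partition that the neighbouring `!GetAtt ...Arn` values resolve to. The `!If` fallback that lists `!GetAtt AccessLoggingBucket.Arn` as a source when HttpFloodProtectionLogParserActivated is false names the logging bucket as its own log source; if that is only a placeholder to keep the list non-empty, a one-line comment saying so would stop a reader from treating it as an intended self-logging grant. The enclosing PolicyDocument starts outside the hunk.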
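Review bot: `timeout=600` on the `requests.put` to the CloudFormation pre-signed response URL in send_response is longer than any plausible Lambda execution budget, so a stalled connection still consumes the function's remaining time and the stack operation waits for the custom-resource timeout rather than reaching the `except Exception` branch below it. A short bound such as `timeout=(5, 30)` (connect, read) keeps the failure inside the handler where it is logged; the same value is added in source/helper/helper.py, the `send_response` hunk of source/reputation_lists_parser/reputation-lists.py and source/timer/timer.py, and the `timeout=300` in source/lib/solution_metrics.py deserves the same review. If 600 s is intentional, a comment on the call should say that the single number applies to both the connect and the read phase. `send_response` continues outside the hunk.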
diff --git a/source/lib/solution_metrics.py b/source/lib/solution_metrics.py index c2fab3f8..7d0dc475 100644 --- a/source/lib/solution_metrics.py +++ b/source/lib/solution_metrics.py @@ -46,7 +46,7 @@ def send_metrics(data, } json_data = dumps(metrics_data) headers = {'content-type': 'application/json'} - response = requests.post(url, data=json_data, headers=headers) + response = requests.post(url, data=json_data, headers=headers, timeout=300) return response except Exception as e: log.error("[solution_metrics:send_metrics] Failed to send solution metrics.") diff --git a/source/reputation_lists_parser/reputation-lists.py b/source/reputation_lists_parser/reputation-lists.py index ff64d785..ad4792a8 100644 --- a/source/reputation_lists_parser/reputation-lists.py +++ b/source/reputation_lists_parser/reputation-lists.py @@ -44,7 +44,7 @@ def find_ips(line, prefix=""): def read_url_list(log, current_list, url, prefix=""): try: log.info("[read_url_list]reading url " + url) - file = requests.get(url) + file = requests.get(url, timeout=600) new_ip_count = 0 line_count = 0 current_ip_count = len(current_list) @@ -149,7 +149,8 @@ def send_response(log, event, context, responseStatus, responseData, resourceId, try: response = requests.put(responseUrl, data=json_responseBody, - headers=headers) + headers=headers, + timeout=600) log.debug("Status code: " + response.reason) except Exception as error: diff --git a/source/timer/timer.py b/source/timer/timer.py index 73bc93ad..b969a255 100644 --- a/source/timer/timer.py +++ b/source/timer/timer.py @@ -48,7 +48,8 @@ def send_response(log, event, context, responseStatus, responseData, resourceId, try: response = requests.put(responseUrl, data=json_responseBody, - headers=headers) + headers=headers, + timeout=600) log.debug("Status code: " + response.reason) except Exception as error:
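Review bot: `file = requests.get(url, timeout=600)` in read_url_list still reads an entire third-party reputation list into memory, with no status check visible in the hunk, so a slow or oversized response from one list source can hold the function for ten minutes or exhaust its memory before the parsing below sees any data. Consider `file = requests.get(url, timeout=(5, 60), stream=True)` followed by `file.raise_for_status()` and iterating `file.iter_lines()` under a byte or line cap, so a single misbehaving feed fails fast and is logged instead of stalling the whole refresh. If the status code is already checked further down (the function body continues outside the hunk), a comment at the call site noting that would save the next reader the search.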